UK General Data Protection Regulation (UK GDPR)

Contractual clauses for international data transfer

Guide

The Data (Use and Access) Act (DUAA) became law on 19 June 2025. As a result, this guidance is under review and may change. See the latest DUAA guidance.

The most common method of complying with the data transfer requirements under the General Data Protection Regulation is the use of standard data protection clauses. Standard data protection clauses make the data transfer between two businesses subject to a legally binding agreement guaranteeing the rights of individuals whose personal data is being transferred.

Standard Contractual Clauses (SCCs) for restricted transfers from the EU

In June 2021, the European Commission adopted new Standard Contractual Clauses which are used to provide safeguards for restricted transfers of personal data from the EU. These were not valid for restricted transfers under the UK GDPR. UK data transfers continued to rely on the older EU SCCs until new UK-specific transfer mechanisms were put in place.

Restricted data transfers from the UK

As of 21 March 2022, businesses subject to the UK General Data Protection Regulation can use new UK equivalents in place of the SCCs for international transfers. These are:

  • International Data Transfer Agreement (IDTA) – most likely to be used for transfers of personal data to a single country
  • Addendum to the EU SCCs – most likely to be used for transfers involving EU data

The IDTA and the Addendum take into account the data protection concerns raised by the Schrems II case, and require data exporters to carry out a risk assessment before making the transfer to ensure that it is adequately protected.

Find more information on the IDTA and the Addendum.

Organisations had a grace (transition) period from 21 March 2022 until 21 March 2024 to replace old EU SCC-based agreements with the IDTA or the Addendum for international data transfers. Those that have not done so risk legal penalties.

Contractual clauses are most likely to be appropriate for small and medium-sized businesses. If you are part of a multinational group of companies, and receiving data from within that group, you may not need EU SCCs or IDTAs if your group has approved Binding Corporate Rules in place. Find out about other mechanisms for restricted transfers of personal data.

This guide does not constitute legal advice and is provided for general information purposes only.